您好,游客!

您好,新朋友。点击以下按钮加入我们!

External @resource from a disallowed domain

About: Includes : WinConfig [Preview]

@JasonBarnabe, our external scripts policy should be updated to mention @resource too as it can be used for malicious code injection (pastebin.com is one of the sites that allow editing of the posted content afterwards).

@BalletduckNinja, put the CSS text inside the code, otherwise the script will be deleted.

评论

  • I think this is the whole point of using @resource tag, to load the external resources..?

  • 最后编辑于 May 2015 Chrome

    I think this is the whole point of using @resource tag, to load the external resources..?

    Yes, the same as @require is used for external resources. Both can easily be used for malicious code injection, that's why @resource should also be restricted. It's quite obvious, isn't it? What I mean is we should only allow it from whitelisted domains, starting from the same list as @require, later some more verified domains could be added that verify the contents through an automated syntax checker, for example, that only allows CSS. Of course a really malicious author could put js code into a publicly available image via steganography, download/decode/execute it, but that's a more difficult task and the bad people haven't yet started using it as far as I know (or rather, they use more efficient methods).

  • I actually barely know how to script, I've just been trying to fix what seem like broke scripts I've been trying to use. Mind telling me how to do that?

  • 最后编辑于 May 2015 Default Browser
    BalletduckNinja 说道:

    I actually barely know how to script, I've just been trying to fix what seem like broke scripts I've been trying to use. Mind telling me how to do that?

    Replace: GM_addStyle(GM_getResourceText("winConfigCss"));

    With:

    GM_addStyle((function(){/*

    * All Your CSS Hode Here *

    */}).toString().slice(15,-4));
    But the script will be too long.. I think.
    wOxxOm 说道:

    Yes, the same as @require is used for external resources. Both can easily be used for malicious code injection, that's why @resource should also be restricted. It's quite obvious, isn't it? What I mean is we should only allow it from whitelisted domains, starting from the same list as @require, later some more verified domains could be added that verify the contents through an automated syntax checker, for example, that only allows CSS. Of course a really malicious author could put js code into a publicly available image via steganography, download/decode/execute it, but that's a more difficult task and the bad people haven't yet started using it as far as I know (or rather, they use more efficient methods).

    Yes, but I believe such legal use should be permitted, unless someone abuse this functionality.

    A quote from Jason:
    JasonBarnabe 说道:

    There's lots of clever ways around whatever technical blocks we put in place. There will always be a need for eyeballs on the code to determine what it's really doing. But just because we can't block all of the stuff we want, doesn't mean we shouldn't block as much as we can. I want to make it as hard as possible for the bad actors to post their stuff to the site. [ ... ]

    So what we need to do is identify patterns that are being used to do bad things or to obfuscate and to see what effect blocking them would have on legitimate uses.

    We could potentially have a list of things that are suspicious but not necessarily malicious, and flag those for some kind of review.

    I do not mean to offended or insult you.. Please forgive me if I did by accident :(
  • I think @resource should be allowed no matter where the resource is.
    It is no more dangerous than GM_xmlhttpRequest.
    Disallow it just because it can be used to inject scripts is unreasonable. Injecting a script tag with external URL, or using GM_xmlhttpRequest can do the same thing and is much easier.
    The rule of external script do not only focus on @require. If some script inject script tag with external URL, use GM_xmlhttpRequest to get a script and run it, or use @resource and eval the script result. It can be removed here since it violate the rule. But this one just use it as CSS, and that should be allowed.
  • 最后编辑于 May 2015 Chrome

    Well, the same justifications apply to @require, but it's restricted, despite the fact it's mostly a nuisance for legit scripts.

话题已锁定。